Netgate Discussion Forum

Correct syntax for hosts (whitelist for Snort)

pfSense Packages
  fakemoth (posted Feb 17, 2015, 1:05 PM; last edited Feb 17, 2015, 2:36 PM)

    Hello, first post here. I am very happy with pfSense, please don't ask me why I didn't run it until now :) even if I heard about it for years in TechSnap and LAS and others. But as always with noobs I have a few problems, mainly Snort ones.
    1. I have a /27 subnet, correctly configured and working, and a couple of servers in it (LAN)
    2. Snort is blocking tons of connections; I did follow your tutorials, did some reading and a lot of googling. And it is working but it blocks also legitimate connections. So as I understand I just have to do a lot of work and "customise" the Snort exceptions; I just don't want to throw whole rules as I did with mod_security lol
    3. Of course, I use an Alias for whitelisting and there I chose "hosts" as it is my understanding that I can fill in domain names and also IPs, subnets etc.
    Sometimes when I connect with VPN (just to access the interface, which is accessible only in LAN) I am locked out due to UDP scanning - fine, added my IP, but as I am tunnelling from a DHCP connection this doesn't help me much. So what can I do here? [SOLVED] > reduced the threshold to "Low" for now, "Medium" was too strong.
    4. OMG it's blocking search engines - how can I whitelist those? If I am filling an IP in the Alias it is fine, no more banning. But the little clowns are of course also using other IPs - so I filled some fields with:
    google.com
    googlebot.com
    msn.com
    facebook.com
    you.get.it

    But it doesn't seem to work. So what is the correct way to input those big providers? With wildcards for the subdomains? And are those resolved (read somewhere that they are, on schedule, and all IPs added automatically), how to check if they are? Where can I find more info on the subject?

    BTW I am on the "Connection" setting, so it shouldn't be THAT aggressive…

    Don't take the name of root in vain!

    bmeeks (Feb 17, 2015, 3:17 PM)

      You cannot use FQDNs (fully qualified domain names) in Snort. It will not resolve them to their IP address. This is currently a limitation of the plugin that provides the blocking function.

      So you can't whitelist something like "*.google.com", for instance.

      Most of those rules that are firing I bet are from the HTTP_INSPECT preprocessor.  Many of those will false positive as they are very strictly analyzing and comparing web traffic to RFC standards.  Unfortunately, many web servers do not adhere rigidly to those standards.  I recommend following the advice of the Snort Master Suppress List thread (search for it in the Packages forum) and add suppress entries for a bunch of the HTTP_INSPECT rules.  You can also just disable those completely.

      Bill

      fakemoth (posted Feb 18, 2015, 10:57 AM; last edited Feb 19, 2015, 7:47 AM)
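Bill's advice above is to suppress the noisy HTTP_INSPECT rules rather than try to whitelist FQDNs. As an added example, not code from this thread or from the pfSense Snort package, the Python script below tallies HTTP_INSPECT hits (generator IDs 119 and 120) from constructed Snort alert_fast lines and emits suppress-list entries in Snort's threshold.conf syntax, leaving alerts from other generators untouched so real signature hits keep blocking.

```python
import re
from collections import Counter

# HTTP_INSPECT preprocessor generator IDs: 119 = client side, 120 = server side.
HTTP_INSPECT_GIDS = {119, 120}

# Matches the "[gid:sid:rev] (preproc) message [**]" part of a Snort alert_fast line.
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+(?:\([\w-]+\)\s+)?(.*?)\s+\[\*\*\]")

# Constructed sample alert_fast lines: hosts, timestamps, messages and the GID 1
# rule are made up for illustration; 119/120 are the real HTTP_INSPECT GIDs.
SAMPLE_ALERTS = """\
02/17-13:05:12.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
02/17-13:05:13.223456  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 192.0.2.10:51235 -> 203.0.113.5:80
02/17-13:05:14.323456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Priority: 3] {TCP} 203.0.113.6:80 -> 192.0.2.11:51236
02/17-13:05:15.423456  [**] [1:9000001:1] CONSTRUCTED sample text rule, keep blocking [**] [Priority: 1] {TCP} 203.0.113.7:4444 -> 192.0.2.10:51237
"""


def parse_alerts(text):
    """Return (gid, sid, msg) for every line that matches the alert_fast format."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(4)))
    return out


def http_inspect_hits(text):
    """Count alerts per (gid, sid), but only for the HTTP_INSPECT preprocessor."""
    return Counter((g, s) for g, s, _ in parse_alerts(text) if g in HTTP_INSPECT_GIDS)


def suppress_entries(text, min_hits=1):
    """Build suppress-list lines (Snort threshold.conf syntax, which the pfSense
    package's Suppress List tab accepts) for HTTP_INSPECT rules seen at least
    min_hits times. Alerts from other generators are deliberately left alone."""
    hits = http_inspect_hits(text)
    return [f"suppress gen_id {g}, sig_id {s}"
            for (g, s), n in sorted(hits.items()) if n >= min_hits]


if __name__ == "__main__":
    for entry in suppress_entries(SAMPLE_ALERTS):
        print(entry)
```

Raise min_hits once you have a day or two of real alerts so only the rules that fire constantly get suppressed, and review each entry against the Master Suppress List thread before pasting it in.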

        Thanks for the info, I was already on the right track, but good to have a confirmation! One has only so much time for reading. The thread you are mentioning is very interesting and I am reading it whole; thanks once again, the forum suppression topic already helped a lot.

        This is [/SOLVED]

        Don't take the name of root in vain!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.